default:
  interruptible: true

stages:
  - prepare
  - deploy
  - post-deploy
  - qa
  - post-qa
  - dast

include:
  - local: .gitlab/ci/cng/main.gitlab-ci.yml
  - local: .gitlab/ci/global.gitlab-ci.yml
  - local: .gitlab/ci/review-apps/rules.gitlab-ci.yml
  - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml
  - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml
  - local: .gitlab/ci/review-apps/dast-api.gitlab-ci.yml

.base-before_script: &base-before_script
  - source ./scripts/utils.sh
  - source ./scripts/review_apps/review-apps.sh

dont-interrupt-me:
  extends: .rules:dont-interrupt
  stage: prepare
  interruptible: false
  script:
    - echo "This jobs makes sure this pipeline won't be interrupted! See https://docs.gitlab.com/ee/ci/yaml/#interruptible."

review-build-cng-env:
  extends:
    - .review-build-cng-env
    - .default-retry
    - .review:rules:review-build-cng
    - .fast-no-clone-job
  variables:
    # We use > instead of | because we want the files to be space-separated.
    FILES_TO_DOWNLOAD: >
      GITALY_SERVER_VERSION
      GITLAB_ELASTICSEARCH_INDEXER_VERSION
      GITLAB_KAS_VERSION
      GITLAB_METRICS_EXPORTER_VERSION
      GITLAB_PAGES_VERSION
      GITLAB_SHELL_VERSION
      scripts/trigger-build.rb
      VERSION
  before_script:
    - apk add --no-cache --update curl # Not present in ruby-alpine, so we add it manually
    - !reference [".fast-no-clone-job", before_script]
    - !reference [".review-build-cng-env", before_script]
    - mv VERSION GITLAB_WORKHORSE_VERSION # GITLAB_WORKHORSE_VERSION is a symlink to VERSION

review-build-cng:
  extends:
    - .review-build-cng
    - .review:rules:review-build-cng
  needs: ["review-build-cng-env"]

.review-workflow-base:
  image: ${REVIEW_APPS_IMAGE}
  retry:
    max: 2  # This is confusing but this means "3 runs at max"
  variables:
    HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
    DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
    GITLAB_HELM_CHART_PROJECT_URL: "https://gitlab.com/gitlab-org/charts/gitlab"
    GITLAB_HELM_REPO_URL: "https://charts.gitlab.io"
    GITLAB_REPO_URL: ${CI_PROJECT_URL}
    GITLAB_IMAGE_REPOSITORY: "registry.gitlab.com/gitlab-org/build/cng-mirror"
    GITLAB_IMAGE_SUFFIX: "ee"
    GITLAB_REVIEW_APP_BASE_CONFIG_FILE: "scripts/review_apps/base-config.yaml"
    GITLAB_HELM_CHART_REF: "75b1486a9aec212d0f49ef1251526d8e51004bbc"  # 7.0.1: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/75b1486a9aec212d0f49ef1251526d8e51004bbc
  environment:
    name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE}  # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
    url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
    on_stop: trigger-review-stop

review-deploy:
  extends:
    - .review-workflow-base
    - .review:rules:review-deploy
    - .fast-no-clone-job
  stage: deploy
  image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}dtzar/helm-kubectl:3.9.3
  needs:
    - review-build-cng
    - review-delete-deployment  # We always want to start from a clean slate (i.e. no helm release, no k8s namespace)
  cache:
    key: "review-deploy-dependencies-charts-${GITLAB_HELM_CHART_REF}-v1"
    paths:
      - "gitlab-${GITLAB_HELM_CHART_REF}"
  environment:
    action: start
  variables:
    # We use > instead of | because we want the files to be space-separated.
    FILES_TO_DOWNLOAD: >
      GITALY_SERVER_VERSION
      GITLAB_SHELL_VERSION
      scripts/review_apps/review-apps.sh
      scripts/review_apps/seed-dast-test-data.sh
      VERSION
  before_script:
    - apk add --no-cache --update curl # Not present in ruby-alpine, so we add it manually
    - !reference [".fast-no-clone-job", before_script]
    - mv VERSION GITLAB_WORKHORSE_VERSION # GITLAB_WORKHORSE_VERSION is a symlink to VERSION
    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
    - echo "QA_GITLAB_URL=${CI_ENVIRONMENT_URL}" > environment.env
    - *base-before_script
    - !reference [".use-kube-context", before_script]
  script:
    - run_timed_command "retry delete_helm_release"
    - run_timed_command "check_kube_domain"
    - run_timed_command "download_chart"
    - run_timed_command "deploy" || (display_deployment_debug && exit 1)
    - run_timed_command "verify_deploy" || (display_deployment_debug && exit 1)
    - run_timed_command "disable_sign_ups" || (display_deployment_debug && exit 1)
    - run_timed_command "verify_commit_sha" || (display_deployment_debug && exit 1)
  after_script:
    # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan.
    # Set DAST_RUN to true when jobs are manually scheduled.
    - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi
  artifacts:
    paths:
      - environment_url.txt
      - curl-logs/
    reports:
      dotenv: environment.env
    expire_in: 7 days
    when: always

review-deploy-sample-projects:
  extends:
    - .review-workflow-base
    - .review:rules:review-deploy
  stage: deploy
  needs: ["review-deploy"]
  environment:
    action: prepare
  before_script:
    - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION)
    - export GITALY_VERSION=$(<GITALY_SERVER_VERSION)
    - export GITLAB_WORKHORSE_VERSION=$(<GITLAB_WORKHORSE_VERSION)
    - echo "${CI_ENVIRONMENT_URL}" > environment_url.txt
    - *base-before_script
    - !reference [".use-kube-context", before_script]
  script:
    - date
    - create_sample_projects

.review-stop-base:
  extends: .review-workflow-base
  timeout: 15min
  environment:
    action: stop
  variables:
    # We're cloning the repo instead of downloading the script for now
    # because some repos are private and CI_JOB_TOKEN cannot access files.
    # See https://gitlab.com/gitlab-org/gitlab/issues/191273
    GIT_DEPTH: 1

review-delete-deployment:
  extends:
    - .review-stop-base
    - .review:rules:review-delete-deployment
  dependencies: []
  stage: prepare
  before_script:
    - source ./scripts/utils.sh
    - source ./scripts/review_apps/review-apps.sh
    - !reference [".use-kube-context", before_script]
  script:
    - retry delete_helm_release

trigger-review-stop:
  extends:
    - .review-stop-base
    - .review:rules:trigger-review-stop
  stage: deploy
  needs: []
  before_script:
    - source ./scripts/utils.sh
    - install_gitlab_gem
  script:
    - review_stop_job_id="$(scripts/api/get_job_id.rb --pipeline-id "${PARENT_PIPELINE_ID}" --job-name "review-stop")"
    - |
      curl --request POST --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/jobs/${review_stop_job_id}/play"
